Welcome back. It is time we learn in detail what information gathering is and how we can perform it. We already know that information gathering is the first step in penetration testing, and it is an act of gathering data about our target. It can be any type of data that we might find useful for the future attack. And if you remember, there are two types of information gathering. We got active information gathering and passive information gathering. And we talked briefly about them, but now it is time to fully explain what both of them are.

So let's start with active information gathering. In active information gathering, we use our Kali Linux machine and we try to get as much data or as much information about our target while interacting with them. It could be a target website that we need to test, so we need to find as many things about it as we can, or it could also be a network that we are testing or perhaps an entire company. The main point is that with active information gathering, we directly get that data from the target. This could mean directly exchanging packets with the target by visiting and enumerating their website, or it could also mean talking to an employee that works there. We could maybe call them over mobile phone to try to get them to tell us something important, but this part is also considered social engineering.
Nonetheless, any action where you exchange something with the target is active information gathering. This can be legal to an extent: if you start performing some advanced scans or fingerprinting on the target, you most likely won't get in trouble, but you should still not do it without permission. And it is important to mention that usually active information gathering will provide us with much more important data than passive information gathering, since we are directly interacting with the target.

On the other hand, we got passive information gathering, and it is similar. We got our Kali Linux machine and our target. But we also have an intermediate system, or what I like to call a middle source. And what is this middle source? Well, basically, it could be anything from a search engine to a website. It could also be a person. But what matters is that the information we get is going through that middle source. For example, if we want to find out something about a certain target and we Google that target to find some pages that contain information about it, this is considered passive information gathering.

OK, good, but what are the goals of this? What exactly are we searching for? Which information could be of value to us? Usually the first thing we search to identify a target is their IP address or IP addresses, if the target has multiple addresses that belong to them.
This could be, for example, a company that has servers and buildings all around the world. And if we were to test this company, we would also be interested in their employees too. For example, we will want to gather their emails, which could be useful for a future attack to gain access to that company. Or we could possibly want to gather their phone numbers, which could also be useful. But most importantly, and what we're mainly interested in, are the technologies that the target has. If it was a company, we would want to know how many networks they have, what software is running on their machines, what operating systems they have. If it was a website, we would also want to know how that website was built, which programming languages it uses, and whether it has JavaScript. For example, just one piece of software on one machine that is outdated or that has an unknown vulnerability that could be exploited is our way in.

So now that we know what we are looking for during this first step, it is time we see what tools and programs we can use to find out as much information as possible about our target. Let's do it.